In one of my last articles, I wrote about installing, customizing and about the functionality of the ADFS servers.
Today I want to write about the ADFS / Azure Multi-Factor Authentication server (MFA). In Q2 of last year Microsoft announced an app called “Microsoft Authenticator”. Its functionality is similar to Google’s authenticator app, “Google Authenticator”.
The Microsoft authenticator app lets you quickly and securely verify your identity online, for all of your accounts. A variety of features are available for many types of accounts.
To download the App for your device, you can simply hit the link below. It only depends on which device type you have:
As I wrote earlier, the app works similarly to Google’s, or (for the older generation of readers here) to a hardware security token.
The cool thing about this app is that you can manage accounts from multiple third-party services with it, for example GitHub, Dropbox or Facebook.
So far so good, let’s talk about how to set it up…
First, the following prerequisites are needed:
- Windows server 2016: WAP with Exchange 2016
- MFA for Exchange OWA and ECP
- Exchange 2016 and ADFS authentication (for accepting ADFS Claims)
Before we run through the installation steps, let us have a look at the final architecture:
First, in our scenario, we start with a WAP server on which we have installed the ADFS Proxy role. Please note: we do not need IIS for that, neither on the WAP nor on the ADFS server!
In our LAN environment, we have our Exchange server on which we run IIS.
On the Exchange server, we will be installing the second MFA server, on which we can configure the web services.
Here a high level view of the WAP:
Installing the Web Application Proxy (WAP) is not a big deal. Important to know is that the server is located in the DMZ and is not a domain member. That means in our case we are not able to use a domain account to log in or to install the role on the server. The server is running in a workgroup, and I will be logging in with a local account that has administrative permissions.
After the login we have to install the SSL certificate that the WAP will use. For the next step we need to copy the thumbprint of that certificate.
We open the PowerShell console and run the following commands:
$FScredential = Get-Credential
Install-WebApplicationProxy -FederationServiceName "FS01.Contoso.com" -FederationServiceTrustCredential $FScredential -CertificateThumbprint "0a11s3d5g50b2c3d0a1b2c8r4tf6583d0a1b2c3d"
For more information about setting up Web Application Proxy, you can follow this Microsoft Link.
In this article, I will not explain every step of configuring ADFS and WAP with each other. Microsoft has a good documentation about it, which you can find HERE.
So let’s now start the installation of the MFA on our Exchange server…
First we sign in to the Azure portal as an administrator. Then we navigate to Active Directory > MFA Server.
Select Server settings, then click Download. Download the installer and follow the instructions.
After you downloaded the MFA server, double-click the .exe and start the setup.
On the Select Installation Folder screen, make sure that the folder is correct and click Next.
Once the installation is complete, click Finish. The configuration wizard launches.
Now we have configured the WAP and ADFS server and we have also installed the MFA server on our Exchange server. The next step is installing the web service.
For that we follow these steps:
- Login to the Exchange server
- Run the MFA-Server
- Choose SDK web services
- Choose the site “Default Web Site” and then enter the Virtual Directory “MFAwebserviceSDK”. For the application pool choose “DefaultAppPool”
- Click Next to start the installation.
Back on the page that you downloaded the MFA server installer from, click the Generate Activation Credentials button. Copy this information into the Azure MFA Server in the boxes provided and click Activate.
After you have installed the MFA, you can see in your IIS that you have a new directory, which is called “MFAwebservicesSDK”.
Now we need to install the MFA App service…
To do that we have to log on to the server where IIS and the MFA server are installed. In our case this is the Exchange server. After logging on, we need to browse to the following directory:
“C:\Program Files\Multi-Factor Authentication Server”. In that folder you will find a file called “MultiFactorAuthenticationMobileAppWebServiceSetup64.msi”.
Once you have found it, double-click it and proceed with the following steps:
- Choose “Default Web Site” -> describe the virtual directory with “MFA” -> ApplicationPool: “Default App Pool”
Then click Next to run the installation.
If you now have a look at your IIS, you will notice that there is a new directory called “MFA”.
Right-click the new directory, choose “Open in Explorer” and open the file “web.config” in an editor.
In this file you need to edit the following two tags:
After that, you also need to edit the path (further down in the same file).
In the tag pfpaws.properties.setting you need to modify the URL, then save the Web.Config and this part is done.
Now we’ll go on to configure our App service…
On the ADFS server (or, in a multi-server MFA setup, on the MFA server that replicates to the others) we simply have to configure the mobile application. The URL we enter here is the one we also have to publish to the internet, because the mobile devices need to reach it.
We log in to our ADFS server, open the MFA server console and browse to “Mobile Application”.
Now we modify our web service URL to https://mail.contoso.com/mfa.
In the ADFS-MFA settings, we simply have to activate 3 points:
- Allow user registration
- Mobile application
- Enable logging
In the ADFS Company settings, we have to set the following:
- User Defaults: Mobile app and Pin is selected
- The rest is configured as in the picture below (except the Standard, where we choose PIN)
Let’s now publish our MFA App…
To allow our mobile devices to connect to the MFA service, we need to publish our URL. For that we can use the WAP server we configured in the beginning. On the WAP server we simply open PowerShell and run the following command:
Add-WebApplicationProxyApplication -ExternalUrl https://mail.contoso.com/mfa/ -BackendServerUrl https://mail.contoso.com/mfa/ -ExternalPreauthentication PassThrough -ExternalCertificateThumbprint "0a11s3d5g50b2c3d0a1b2c8r4tf6583d0a1b2c3d" -Name "MFA APP"
After running this command, the publishing rule is set.
So, we are done! – Almost…
As a last step, you have to verify that everything is working as expected and configured.
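To make that last check concrete, here is an added verification script for the WAP server (my own example, not part of the original article). It assumes the rule name “MFA APP”, the external URL and the placeholder thumbprint from the commands above; adjust them to your environment.

```powershell
# Added example: post-publishing check on the WAP server (not from the original article).
# Assumed values taken from the commands above; the thumbprint is the article's placeholder.
$ExpectedUrl   = "https://mail.contoso.com/mfa/"
$ExpectedThumb = "0a11s3d5g50b2c3d0a1b2c8r4tf6583d0a1b2c3d"
$RuleName      = "MFA APP"

# 1. The publishing rule exists and matches what we intended to publish.
$rule = Get-WebApplicationProxyApplication -Name $RuleName -ErrorAction Stop
if ($rule.ExternalUrl -ne $ExpectedUrl) {
    Write-Warning "ExternalUrl is '$($rule.ExternalUrl)', expected '$ExpectedUrl'"
}
if ($rule.BackendServerUrl -ne $ExpectedUrl) {
    Write-Warning "BackendServerUrl is '$($rule.BackendServerUrl)', expected '$ExpectedUrl'"
}
if ($rule.ExternalPreauthentication -ne "PassThrough") {
    Write-Warning "Preauthentication is '$($rule.ExternalPreauthentication)', expected PassThrough"
}
if ($rule.ExternalCertificateThumbprint -ne $ExpectedThumb) {
    Write-Warning "Rule uses certificate '$($rule.ExternalCertificateThumbprint)', expected '$ExpectedThumb'"
}

# 2. The certificate behind that thumbprint is present in the machine store and still valid.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $ExpectedThumb }
if (-not $cert) {
    Write-Warning "Certificate $ExpectedThumb not found in LocalMachine\My"
} elseif ($cert.NotAfter -lt (Get-Date)) {
    Write-Warning "Certificate expired on $($cert.NotAfter)"
} else {
    "Certificate OK: $($cert.Subject), valid until $($cert.NotAfter)"
}

# 3. The published endpoint answers over TLS. Any HTTP status (even 403/404 for a
#    plain GET on the service root) proves the rule and TLS chain work; a connection
#    error means the rule, DNS or certificate is wrong.
try {
    $resp = Invoke-WebRequest -Uri $ExpectedUrl -UseBasicParsing -ErrorAction Stop
    "MFA endpoint answered HTTP $($resp.StatusCode)"
} catch {
    if ($_.Exception.Response) {
        "MFA endpoint reachable, HTTP $([int]$_.Exception.Response.StatusCode)"
    } else {
        Write-Warning "No answer from $ExpectedUrl : $($_.Exception.Message)"
    }
}
```

Run it from an elevated PowerShell on the WAP server after the Add-WebApplicationProxyApplication command; a mobile device on the internet should then be able to reach the same URL.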
I hope all worked well for you and this article helped you with implementing Microsoft MFA.